-
Notifications
You must be signed in to change notification settings - Fork 825
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: DNS-01 challenge support #1137
Conversation
Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com> Co-authored-by: David Michaluk <d@michal.uk>
Co-authored-by: Nicolas Duchon <nicolas.duchon@gmail.com> Co-authored-by: Gilles Filippini <pini@debian.org>
Added support for wildcard certificates. |
This is available as |
LGTM. |
Can you support configuring the ACMESH_DNS_API_CONFIG on the acme-companion container instead of the proxied application? |
@pgassmann done, updated the The environment variable name on the acme-companion container is |
I don't think this can be tested in CI without obtaining a certificate from a real CA (let's say from Let's Encrypt staging environment) for a real domain whose DNS can be manipulated by acme.sh DNS API. I have a few ideas how to do this but I think it'll need some changes to the test system setup itself before, so this feature will probably ship without CI tests at first. |
If there isn't any further comment or review on this, I'll think I'll merge it on Sunday or Monday. |
I tested this feature branch on a real host.domain.tld on Namecheap and the DNS challenge worked perfectly. Then, I changed LETSENCRYPT_HOST in my container's YAML from host.domain.tld to *.domain.tld. It also worked, but I'm getting an SSL error when I try to access https://host.domain.tld. Is there something I'm doing wrong from a wildcard domain perspective? |
Would you mind giving a few more details? |
I was trying to provide detailed documentation, going step-by-step to reproduce the problem, but I can no longer do so. I've also added a second service using the same wildcard value for LETSENCRYPT_HOST and it works as expected. For reference, here is a relevant sample from a docker compose file:
The certs that are being installed by acme-companion:
At this point, I assume that it was a mistake that I made in the configuration. |
This PR pick up the work done by @daweedm in #1022 ( thanks 👍 )
I tested it with Gandi Live DNS, seems to work without issue.
@pini-gh I know you worked on a DNS-01 fork too, so a review would be welcome.
Ideally I'd also like this to include wildcard certificate compatibility before merge.